CVE-2024-7052

4.8 MEDIUM

📋 TL;DR

This vulnerability allows administrators in WordPress multisite installations to inject malicious scripts into Forminator Forms plugin settings. The stored XSS payload executes when other users view the affected settings pages, bypassing WordPress's unfiltered_html security restriction.

💻 Affected Systems

Products:
  • Forminator Forms WordPress Plugin
Versions: All versions before 1.38.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Relevant where administrators lack the unfiltered_html capability, i.e. in WordPress multisite installations or where that capability has been restricted. Single-site WordPress, where administrators hold unfiltered_html by default, may be less affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case: Privileged user account hijacking, session theft, or unauthorized actions performed by compromised admin accounts.

🟢 If Mitigated: Limited impact with proper user privilege management and content security policies in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an administrator-level account. A public proof-of-concept is available through WPScan.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.38.3

Vendor Advisory: https://wpscan.com/vulnerability/4e52cab5-821c-4ca8-9024-67f716cf78fe/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Forminator Forms plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.38.3 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the Forminator Forms plugin until it is patched:

wp plugin deactivate forminator

Restrict Admin Access (applies to: all)

Temporarily limit administrator accounts to trusted users only.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Enable WordPress security plugins with XSS protection features

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin panel → Plugins → Forminator Forms.

Check Version:

wp plugin get forminator --field=version

Verify Fix Applied:

Confirm that the installed plugin version is 1.38.3 or higher.
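To script the check above across many installations, here is an added example (not from the advisory or from WPScan) that compares the installed version component by component against 1.38.3, since a plain string comparison would rank 1.38.10 below 1.38.3. It assumes wp-cli is installed and the script is run from the WordPress root.

```shell
#!/bin/sh
# Added example: verify whether the installed Forminator version carries the
# CVE-2024-7052 fix (1.38.3). Not part of the advisory or the plugin.
FIXED_VERSION="1.38.3"

# version_ge A B -> exit 0 if A >= B, comparing dot-separated numeric
# components (so 1.38.10 > 1.38.3 and 1.38 < 1.38.3).
version_ge() {
    # Drop any suffix such as "-beta" that is not digits or dots.
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # Consume the leading component of each string; missing components
        # are treated as 0 below.
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# is_fixed VERSION -> exit 0 when VERSION already contains the fix.
is_fixed() {
    version_ge "$1" "$FIXED_VERSION"
}

# check_site: query wp-cli and print a verdict.
# Returns 0 if patched, 2 if vulnerable, 3 if the plugin is not installed.
check_site() {
    installed=$(wp plugin get forminator --field=version 2>/dev/null) || return 3
    if is_fixed "$installed"; then
        echo "forminator $installed: patched (>= $FIXED_VERSION)"
        return 0
    fi
    echo "forminator $installed: VULNERABLE to CVE-2024-7052, update to $FIXED_VERSION or later"
    return 2
}
```

Run `check_site` from each WordPress root; a non-zero exit status marks installations that still need the update.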

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying form settings
  • JavaScript payloads in form configuration data

Network Indicators:

  • Suspicious script tags in form submission endpoints

SIEM Query:

source="wordpress" AND (event="plugin_update" OR event="settings_change") AND plugin="forminator" AND version<"1.38.3"
